Abstract

Distributed fault-tolerance can mask the effect of a limited number of permanent faults,
while self-stabilization provides forward recovery after an arbitrary number of transient faults
hit the system. FTSS protocols combine the best of both worlds since they are simultaneously
fault-tolerant and self-stabilizing. To date, FTSS solutions either consider static (i.e. fixed
point) tasks, or assume synchronous scheduling of the system components.

In this paper, we present the first study of dynamic tasks in asynchronous systems, considering
the unison problem as a benchmark. Unison can be seen as a local clock synchronization
problem as neighbors must maintain digital clocks at most one time unit away from each other,
and increment their own clock value infinitely often. We present many impossibility results for
this difficult problem and propose a FTSS solution when the problem is solvable that exhibits
optimal fault containment.

1 Introduction



The advent of ubiquitous large-scale distributed systems advocates that tolerance to various
kinds of faults and hazards must be included from the very early design of such systems.
Self-stabilization [8, 10] is a versatile technique that permits forward recovery from any kind of
transient fault, while fault-tolerance [14] is traditionally used to mask the effect of a limited
number of permanent faults. Making distributed systems tolerant to both transient and
permanent faults is appealing yet proved difficult [15, 1, 2] as impossibility results are expected in
many cases.

The seminal works of [1, 15] define FTSS protocols as protocols that are both fault tolerant
and self-stabilizing, i.e. able to tolerate a few crash faults as well as arbitrary initial memory
corruption. In [1], impossibility results for size computation and election in asynchronous
systems are presented, while unique naming is proved possible. In [15], a general transformer
is presented for synchronous systems, as well as positive results with failure detectors. The
transformer of [15] was proved impossible to transpose to asynchronous systems in [2] due to
the impossibility of tight synchronization in the FTSS context. For local tasks (i.e. tasks whose
correctness can be checked locally, such as vertex coloring), the notion of strict stabilization was
proposed [21, 19]. Strict stabilization guarantees that there exists a containment radius outside
which the effect of permanent faults is masked, provided that the problem specification makes
it possible to break the causality chain that is caused by the faults.

It turns out that FTSS possibility results in fully asynchronous systems known to date are
restricted to static tasks, i.e. tasks that require eventual convergence to some global fixed point
(tasks such as naming or vertex coloring fall in this category). In this paper, we consider the
more challenging problem of dynamic tasks, i.e. tasks that require both eventual safety and
liveness properties (examples of such tasks are clock synchronization and token passing). Due to
the aforementioned impossibility of tight clock synchronization, we consider the unison problem,
which can be seen as a local clock synchronization problem. In the unison problem [20], each
node is expected to keep its digital clock value within one time unit of each of its neighbors'
clock values (weak synchronization), and increment its clock value infinitely often. Note that in
synchronous completely connected systems where clocks have discrete time unit values, unison
induces tight clock synchronization. Several self-stabilizing solutions exist for this problem [17,
6, 4, 5], both in synchronous and asynchronous systems, yet none of those can tolerate crash
faults.

As a matter of fact, there exist a number of FTSS results for dynamic tasks in synchronous
systems. [12, 22] provide self-stabilizing clock synchronization that is also wait-free, i.e. that
tolerates napping faults, in complete networks. Also, [11] presents a FTSS clock synchronization
for general networks. Still in synchronous systems, it was proved that even malicious (i.e.
Byzantine) faults can be tolerated, to some extent. In [13, 3], probabilistic FTSS protocols were
proposed for up to one third of Byzantine processors, while in [18, 9] deterministic solutions
tolerate up to one fourth and one third of Byzantine processors, respectively. Note that all
solutions presented in this paragraph are for fully synchronous systems.

In this paper, we tackle the open issue of FTSS solutions to dynamic tasks in asynchronous
systems, using the unison problem as a case study. Our first negative results show that whenever
two or more crash faults may occur, FTSS unison is impossible in any asynchronous setting.
The remaining case of one crash fault drives the most interesting results (see Section 3). We
first extract two key properties satisfied by all previous self-stabilizing asynchronous unison
protocols: minimality and priority. Minimality means that nodes maintain no extra variables
but the digital clock value. Priority means that whenever incrementing the clock value does not
break the local safety predicate between neighbors, the clock value is actually incremented in a
finite number of activations, even when no neighbor modifies its clock value. Then, depending
on the fairness properties of the scheduling of nodes, we provide various results with respect to
the possibility or impossibility of unison. When the scheduling is unfair (only global progress
is guaranteed), FTSS unison is impossible. When the scheduling is weakly fair (a processor
that is continuously enabled is eventually activated), then it is impossible to solve FTSS unison
by a protocol that satisfies either minimality or priority. The case of strongly fair scheduling
(a processor that is enabled infinitely often is eventually activated) is similar whenever the
maximum degree of the graph is at least three. Our negative results still apply when the clock
variable is unbounded and the scheduling is central (i.e. a single processor is activated at any
time).

On the positive side (Section 4), we present a FTSS protocol for connected networks of 
maximum degree at most two (i.e. rings and chains), that satisfies both minimality and priority 
properties. This protocol makes minimal system hypotheses with respect to the aforementioned 
impossibility results (maximum degree, scheduling, etc.) and is optimal with respect to the 
containment radius that is achieved (no correct processor is ever prevented from incrementing 
its clock). Table 1 provides a summary of the main results of the paper. Remaining open 
questions (denoted by question marks in the above table) are discussed in Section 5. 

2 Model, definitions and notations 

We consider a network as an undirected connected graph $G = (V, E)$ where $V$ is a set of
processors and $E$ is a binary relation that denotes the ability for two processors to communicate
($(p, q) \in E$ if and only if $p$ and $q$ are neighbors). Every processor $p$ can distinguish its neighbors
and locally label them, and we assume that $p$ maintains $N_p$, the set of its neighbors' local labels.
In the following, $n$ denotes the number of processors, and $\Delta$ the maximal degree. If $p$ and $q$
are two processors of the network, we denote by $d(p, q)$ the length of the shortest path between
$p$ and $q$ (i.e. the distance from $p$ to $q$). In this paper, we assume that the network can be hit
by crash faults, i.e. some processors can stop executing their actions permanently and without
any warning to their neighborhood. Since the system is assumed to be fully asynchronous, no
processor can detect if one of its neighbors is crashed or slow.

We consider the classical local shared memory model of computation (see [10]) where
communications between neighbors are modeled by direct reading of variables instead of exchange
of messages. In this model, the program of every processor consists of a set of shared variables
(henceforth referred to as variables) and a finite set of rules. A processor can write to its own
variables only, and read its own variables and those of its neighbors. Each rule consists of:
<label> :: <guard> $\longrightarrow$ <statement>. The label of a rule is simply a name to refer to the action in
the text. The guard of a rule in the program of $p$ is a boolean predicate involving variables of $p$
and its neighbors. The statement of a rule of $p$ updates one or more variables of $p$. A statement
can be executed only if the corresponding guard is satisfied (the processor rule is then enabled).
The state of a processor is defined by the value of its variables. The state of a system (a.k.a.
the configuration) is the product of the states of all processors. We also refer to the state of a
processor and its neighborhood as a local configuration. We denote by $\Gamma$ the set of all configurations
of the system.

Processor $p$ is enabled in $\gamma \in \Gamma$ if and only if at least one rule is enabled for $p$ in $\gamma$. Let a
distributed protocol $\mathcal{P}$ be a collection of binary transition relations denoted by $\rightarrow$, on $\Gamma$. An
execution of a protocol $\mathcal{P}$ is a maximal sequence of configurations $\epsilon = \gamma_0 \gamma_1 \dots \gamma_i \gamma_{i+1} \dots$ such
that, $\forall i \geq 0$, $\gamma_i \rightarrow \gamma_{i+1}$ (the pair $(\gamma_i, \gamma_{i+1}) \in {\rightarrow}$ is called a step) if $\gamma_{i+1}$ exists (else $\gamma_i$ is a terminal
configuration). Maximality means that the sequence is either finite (and no action of $\mathcal{P}$ is
enabled in the terminal configuration) or infinite. $\mathcal{E}$ is the set of all possible executions of $\mathcal{P}$. A
processor $p$ is neutralized in step $\gamma_i \rightarrow \gamma_{i+1}$ if $p$ is enabled in $\gamma_i$ and is not enabled in $\gamma_{i+1}$, yet
did not execute any rule in step $\gamma_i \rightarrow \gamma_{i+1}$.

A scheduler (also called daemon) is a predicate over the executions. In any execution, each 
step $\gamma \rightarrow \gamma'$ results from a non-empty subset of enabled processors atomically executing a rule.
This subset is chosen by the scheduler. A scheduler is central if it chooses exactly one enabled 
processor in any particular step, it is distributed if it chooses at least one enabled processor, 
and locally central if it chooses at least one enabled processor yet ensures that no two neighbors 
are chosen concurrently. A scheduler is synchronous if it chooses every enabled processor in 
every step. A scheduler is asynchronous if it is either central, distributed or locally central. A 
scheduler may also have some fairness properties. A scheduler is strongly fair (the strongest 
fairness assumption for asynchronous schedulers) if every processor that is enabled infinitely 
often is eventually chosen to execute a rule. A scheduler is weakly fair if every continuously 
enabled processor is eventually chosen to execute a rule. Finally, the unfair scheduler has the 
weakest fairness assumption: it only guarantees that at least one enabled processor is eventually 
chosen to execute a rule. As the strongly fair scheduler is the strongest fairness assumption, any 
problem that cannot be solved under this assumption cannot be solved for all weaker fairness 
assumptions. In contrast, any algorithm performing under the unfair scheduler also works for 
all stronger fairness assumptions. 

Fault-containment and Stabilization. In a particular execution $\epsilon$, we distinguish the
set of processors $V^*$ that never crash in $\epsilon$ (i.e. the set of correct processors). By extension, $C^*$
denotes the set of correct processors in $C \subseteq V$. As crashed processors cannot be distinguished
from slow ones by their neighbors, we assume that variables of crashed processors are always
readable. We now recall definitions about self-stabilization and fault-tolerant self-stabilization.

Definition 1 (self-stabilization [8]) Let $\mathcal{T}$ be a task, and $S_\mathcal{T}$ a specification of $\mathcal{T}$. A protocol
$\mathcal{P}$ is self-stabilizing for $S_\mathcal{T}$ if and only if for every configuration $\gamma_0 \in \Gamma$, for every execution
$\epsilon = \gamma_0 \gamma_1 \dots$, there exists a finite prefix $\gamma_0 \gamma_1 \dots \gamma_l$ of $\epsilon$ such that all executions starting from $\gamma_l$
satisfy $S_\mathcal{T}$.

Definition 2 ($(f, r)$-containment [21]) Let $\mathcal{T}$ be a task, and $S_\mathcal{T}$ a specification of $\mathcal{T}$. A
configuration $\gamma \in \Gamma$ is $(f, r)$-contained for specification $S_\mathcal{T}$ if and only if, given at most $f$
crashed processors, every execution starting from $\gamma$ always satisfies $S_\mathcal{T}$ on the sub-graph induced
by processors which are at distance $r$ or more from any crashed processor.

Definition 3 (fault-tolerant self-stabilization (FTSS) [1, 15]) Let $\mathcal{T}$ be a task, and $S_\mathcal{T}$ a
specification of $\mathcal{T}$. A protocol $\mathcal{P}$ is fault-tolerant and self-stabilizing with radius $r$ for $f$ crashed
processors (and denoted by $(f, r)$-ftss) for specification $S_\mathcal{T}$ if and only if, given at most $f$
crashed processors, for every configuration $\gamma_0 \in \Gamma$, for every execution $\epsilon = \gamma_0 \gamma_1 \dots$, there exists
a finite prefix $\gamma_0 \gamma_1 \dots \gamma_l$ of $\epsilon$ such that $\gamma_l$ is $(f, r)$-contained for specification $S_\mathcal{T}$.

Problem and specifications. In the following, $H_p$ is the variable of processor $p$ that
represents its clock value. Values are taken in the set of natural integers (that is, the number
of states is unbounded, and a total order can be defined on clock values). We now define two
notions related to local clock synchronization: the first one restricts the safety property to
correct processors, while the second one considers all processors.

Definition 4 (weakly synchronized configurations $\Gamma_1^*$) Let $\gamma \in \Gamma$. We say that $\gamma$ is
weakly synchronized (denoted by $\gamma \in \Gamma_1^*$) if and only if:

$\forall p \in V^*, \forall q \in N_p^*, |H_p - H_q| \leq 1$

Definition 5 (uniformly weakly synchronized configurations $\Gamma_1$) Let $\gamma \in \Gamma$. We say
that $\gamma$ is uniformly weakly synchronized (denoted by $\gamma \in \Gamma_1$) if and only if:

$\forall p \in V, \forall q \in N_p, |H_p - H_q| \leq 1$

Remark 1 If no processor is crashed, we have: $\Gamma_1 = \Gamma_1^*$; in the contrary case, we have:
$\Gamma_1 \subset \Gamma_1^*$.

For example, if $G = (V, E)$ with $V = \{p_0, p_1, p_2\}$ and $E = \{\{p_0, p_1\}, \{p_1, p_2\}\}$, then the
configuration $\gamma$ defined by $H_{p_0} = 0$, $H_{p_1} = H_{p_2} = 2$, and where $p_0$ is crashed satisfies $\gamma \in \Gamma_1^*$ and
$\gamma \notin \Gamma_1$.

We now specify the two variants of our problem (depending whether safety property is 
extended to crashed processors): 

Specification 1 (asynchronous unison - AU)

Let $\gamma_0 \in \Gamma$. An execution $\epsilon = \gamma_0 \gamma_1 \dots$ starting from $\gamma_0$ is a legitimate execution for AU if
and only if:

• Safety: $\forall i \in \mathbb{N}$, $\gamma_i \in \Gamma_1^*$.

• Liveness: Each processor $p \in V^*$ increments its clock infinitely often in $\epsilon$.

Specification 2 (uniform asynchronous unison - UAU)

Let $\gamma_0 \in \Gamma$. An execution $\epsilon = \gamma_0 \gamma_1 \dots$ starting from $\gamma_0$ is a legitimate execution for UAU if
and only if:

• Safety: $\forall i \in \mathbb{N}$, $\gamma_i \in \Gamma_1$.

• Liveness: Each processor $p \in V^*$ increments its clock infinitely often in $\epsilon$.

Remark 2 Note that:

• An algorithm which complies with the second specification complies with the first (the converse
is not true).

• These two specifications do not forbid decrementation of clocks.

We now present two key properties satisfied by all known self-stabilizing unison protocols.
Those properties are used in the impossibility results presented in Section 3. 

Definition 6 (minimality) A unison is minimal if and only if the set of variables of each 
processor is reduced to its clock. 

Remark 3 As the execution of a rule by a processor always modifies its state, every execution
of a rule by a processor in a minimal unison modifies its clock value.

Definition 7 (priority) A unison is priority if and only if it satisfies the following property:
if there exists a processor $p$ such that $\forall q \in N_p$, ($H_q = H_p$ or $H_q = H_p + 1$) in a configuration
$\gamma_i$, then there exists a fragment of execution $\epsilon = \gamma_i \dots \gamma_{i+k}$ such that:

• only $p$ is chosen by the scheduler during $\epsilon$.

• $H_p$ is not modified during $\gamma_{i+j} \rightarrow \gamma_{i+j+1}$, for $j \in \{0, \dots, k - 2\}$.

• $H_p$ is incremented during $\gamma_{i+k-1} \rightarrow \gamma_{i+k}$.

Remark 4 If a priority unison is also minimal, then k = 1 since every execution of a rule by 
a processor modifies its clock value. 

3 Impossibility results 

In this section we present a broad class of impossibility results related to the FTSS unison.
For the sake of generality we assume the most constrained scheduler (the central one).
Additionally we assume each processor has an infinite memory.

3.1 Preliminaries 

First, we introduce two preliminary results which show that in any execution of a $(f, r)$-ftss
algorithm for AU (under an asynchronous daemon) a processor cannot modify its clock value
if it has two neighbors $q$ and $q'$ such that: $H_q = H_p - 1$ and $H_{q'} = H_p + 1$.

Lemma 1 Let $\mathcal{A}$ be a $(f, r)$-ftss algorithm for AU (under an asynchronous daemon). Let $\gamma$
be a configuration in which a processor $p$ (such that $H_p \geq 1$) has two neighbors $q$ and $q'$ such
that: $H_q = H_p - 1$ and $H_{q'} = H_p + 1$. If $p$ executes an action of $\mathcal{A}$ during the step $\gamma \rightarrow \gamma'$,
then this action does not modify the value of $H_p$.

Proof. Let $\mathcal{A}$ be a $(f, r)$-ftss algorithm for AU (under an asynchronous daemon). Let $G$
be a network and $\gamma$ be a configuration of $G$ such that no processor is crashed, $\gamma \in \Gamma_1$ and there
exists a processor $p$ (such that $H_p \geq 1$) which has two neighbors $q$ and $q'$ such that: $H_q = H_p - 1$
and $H_{q'} = H_p + 1$.

Assume $p$ executes an action of $\mathcal{A}$ during the step $\gamma \rightarrow \gamma'$ (and only $p$) such that this action
modifies the value of $H_p$. Note that $H_q$ and $H_{q'}$ are identical in $\gamma$ and $\gamma'$. Let $\alpha$ be the value
of $H_p$ in $\gamma$ and $\alpha'$ be the value of $H_p$ in $\gamma'$. $\alpha$ and $\alpha'$ verify one of the two following
relations:

Case 1: $\alpha < \alpha'$.

This implies that $|\alpha' - H_q| = |\alpha' - \alpha| + |\alpha - H_q| > 1$ (since $|\alpha' - \alpha| \geq 1$ by hypothesis and
$|\alpha - H_q| = 1$).

Case 2: $\alpha' < \alpha$.

This implies that $|\alpha' - H_{q'}| = |\alpha' - \alpha| + |\alpha - H_{q'}| > 1$ (since $|\alpha' - \alpha| \geq 1$ by hypothesis
and $|\alpha - H_{q'}| = 1$).

In the two above cases, $\gamma' \notin \Gamma_1$, hence the safety property of $\mathcal{A}$ is not verified. □

Lemma 2 Let $\mathcal{A}$ be a $(f, r)$-ftss algorithm for minimal AU (under an asynchronous daemon).
Let $\gamma$ be a configuration in which a processor $p$ (such that $H_p \geq 1$) has two neighbors $q$ and $q'$
such that: $H_q = H_p - 1$ and $H_{q'} = H_p + 1$. Processor $p$ is not enabled for $\mathcal{A}$ in $\gamma$.

Proof. This is a direct consequence of Lemma 1. □ 



3.2 With respect to the number of crashed processors 

Proposition 1 For any natural number $r$, there exists no $(f, r)$-ftss algorithm for AU under
an asynchronous daemon if $f \geq 2$.

Proof. Let $r$ be a natural number. Let $\mathcal{A}$ be a $(2, r)$-ftss algorithm for AU (under an
asynchronous daemon). Consider a network represented by the following graph: $G = (V, E)$
with $V = \{p_0, \dots, p_{2(r+1)}\}$ and $E = \{\{p_i, p_{i+1}\} \mid i \in \{0, \dots, 2r + 1\}\}$. Let $\gamma$ be the following
configuration of the network: $p_0$ and $p_{2(r+1)}$ are crashed and $\forall i \in \{0, \dots, 2(r + 1)\}$, $H_{p_i} = i$ (all
the other variables can have any value).

By Lemma 1, no processor between $p_2$ and $p_{2r+1}$ can change its clock value in every execution
starting from $\gamma$. However, $p_{r+1}$ must verify the specification of the problem since the nearest
crashed processor is at r hops away. This contradicts the liveness property of $\mathcal{A}$. □
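
The arithmetic behind Lemma 1 and the frozen chain of this proof can be checked by brute force. The Python sketch below is an added example, not code from the paper; its function names are illustrative, and it models only the safety constraint on clock values (no particular unison protocol), treating crashed neighbours like any other neighbour because a processor cannot tell them from slow ones.

```python
"""Added illustration, not code from the paper: brute-force view of Lemma 1
and of the frozen chain built in the proof of Proposition 1."""


def chain(n):
    """Adjacency lists of the chain p_0 - p_1 - ... - p_{n-1}."""
    return {i: [j for j in (i - 1, i + 1) if 0 <= j < n] for i in range(n)}


def uniformly_weakly_synchronized(adj, clock):
    """Definition 5: every pair of neighbours is at most one unit apart."""
    return all(abs(clock[p] - clock[q]) <= 1 for p in adj for q in adj[p])


def weakly_synchronized(adj, clock, crashed):
    """Definition 4: the same test, restricted to correct processors."""
    return all(
        abs(clock[p] - clock[q]) <= 1
        for p in adj if p not in crashed
        for q in adj[p] if q not in crashed
    )


def safe_new_values(adj, clock, p):
    """Clock values different from H_p that p could write while staying
    within one unit of every neighbour. Crashed neighbours are included:
    p cannot tell a crashed neighbour from a slow one."""
    neighbour_clocks = [clock[q] for q in adj[p]]
    low = max(max(neighbour_clocks) - 1, 0)   # clocks are natural numbers
    high = min(neighbour_clocks) + 1
    return {v for v in range(low, high + 1) if v != clock[p]}


def frozen(adj, clock, crashed):
    """Correct processors that have no safe clock change at all."""
    return {p for p in adj
            if p not in crashed and not safe_new_values(adj, clock, p)}


def proposition1_configuration(r):
    """Chain p_0 .. p_{2(r+1)} with H_{p_i} = i and both ends crashed."""
    n = 2 * (r + 1) + 1
    return chain(n), {i: i for i in range(n)}, {0, n - 1}


if __name__ == "__main__":
    r = 3
    adj, clock, crashed = proposition1_configuration(r)
    print("two crashes, frozen:", sorted(frozen(adj, clock, crashed)))
    print("one crash,   frozen:", sorted(frozen(adj, clock, {0})))
    end = len(adj) - 1
    print("moves open to the correct end processor:",
          sorted(safe_new_values(adj, clock, end)))
```

With both ends crashed every correct processor is frozen, including $p_{r+1}$; with only $p_0$ crashed the far end of the chain still has safe moves, which is why the single-crash case needs the finer arguments of the following sections.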

3.3 With respect to unfair daemon 

Proposition 2 For any natural number $r$, there exists no $(1, r)$-ftss algorithm for AU under
an unfair daemon.

Proof. Let $r$ be a natural number. Assume that there exists a $(1, r)$-ftss algorithm $\mathcal{A}$ for
AU under an unfair daemon. Consider a network, $G$, of diameter greater than $2r + 2$ (see footnote 1). Let $p$
be a processor of $G$. Since the daemon is unfair, it can choose to never activate $p$ unless this
processor becomes the only enabled processor of $G$.

Assume that there exists a configuration $\gamma$ such that no processor is crashed and in which
$p$ is the only enabled processor of the network. The asynchronism assumption makes this
configuration indistinguishable from $\gamma'$, the same configuration in which $p$ is crashed. We assumed
that in $\gamma$ no other processor but $p$ is enabled. Consequently, the network is starved in $\gamma'$. This
contradicts the liveness property of $\mathcal{A}$, hence no such configuration $\gamma$ exists.

Since there exists no configuration in which $p$ is the unique enabled processor (in every
execution starting from an arbitrary configuration), the unfair daemon can starve $p$ infinitely
(if no crash occurs). This contradicts the liveness property of $\mathcal{A}$. □

Footnote 1: At least one processor verifies the specification of the AU problem.

Figure 1: The three configurations used in the proof of Lemma 3 (the numbers represent clock
values and the double circles represent crashed processors).

3.4 With respect to weakly fair daemon 

In this section we prove there exists no $(1, r)$-ftss algorithm for minimal or priority AU under
a weakly fair daemon for any $r$ value. The first impossibility result uses the following property:
if there exists an algorithm $\mathcal{A}$ which is $(1, r)$-ftss for minimal AU under a weakly fair daemon
for a natural number $r$, then an arbitrary processor $p$ is not enabled for $\mathcal{A}$ if it has only one
neighbor $p'$ and if $H_p = H_{p'}$ (proved in Lemma 3 formally stated below). Then, we show that
$\mathcal{A}$ starves the network reduced to a two-correct-processor chain in which all clock values are
identical (see Proposition 3).

Lemma 3 If there exists an algorithm $\mathcal{A}$ which is $(1, r)$-ftss for minimal AU under a weakly
fair daemon for a natural number $r$, then an arbitrary processor $p$ is not enabled for $\mathcal{A}$ if it has
only one neighbor $p'$ and if $H_p = H_{p'}$.

Proof. Let $r$ be a natural number. Let $\mathcal{A}$ be a $(1, r)$-ftss algorithm for the minimal AU
under a weakly fair daemon.

Let $G$ be the network reduced to a chain of length $r + 2$. Assume that the processors of $G$ are labeled as
follows: $p_0, p_1, \dots, p_{r+2}$. Consider the following configurations of $G$ (see Figure 1):

• $\gamma_1$ defined by $\forall i \in \{0, \dots, r + 1\}$, $H_{p_i} = i$ and $H_{p_{r+2}} = r + 1$ and $p_0$ crashed.

• $\gamma_2$ defined by $\forall i \in \{0, \dots, r + 1\}$, $H_{p_i} = 2r + 2 - i$ and $H_{p_{r+2}} = r + 1$ and $p_0$ crashed.

• $\gamma_3$ defined by $\forall i \in \{0, \dots, r + 2\}$, $H_{p_i} = i$ and $p_0$ crashed.

By Lemma 2, processors from $p_1$ to $p_r$ are not enabled in such configurations (and remain
not enabled until one of the processors within $p_0 \dots p_{r+1}$ executes a rule).

Note that for the processor $p_{r+2}$, the configurations $\gamma_1$ and $\gamma_2$ are indistinguishable (otherwise
the unison would not be minimal). We are going to prove the result by contradiction. Assume $p_{r+2}$ is
enabled in $\gamma_1$ and $\gamma_2$. The safety property of $\mathcal{A}$ implies that the enabled rule for $p_{r+2}$ modifies
its clock either to $r + 2$ or to $r$. In the following we discuss these cases separately:
Case 1: The enabled rule for $p_{r+2}$ modifies its clock to $r + 2$.

Assume w.l.o.g. that $p_{r+2}$ is the only activated processor, hence its clock takes the value $r + 2$.
The following cases are possible in the new configuration:

Case 1.1: $p_{r+2}$ is not enabled.

If the execution started from $\gamma_1$, then no processor is enabled, which contradicts the
liveness property of AU.

Case 1.2: $p_{r+2}$ is enabled and after execution its clock changes to $r + 1$.

Let $\epsilon$ be an execution starting from $\gamma_1$ in which only $p_{r+2}$ is activated. Consequently,
the clock of the processor $p_{r+2}$ takes infinitely often the following sequence of values: $r + 1$,
$r + 2$. In this execution, $p_{r+2}$ executes infinitely often while processors from $p_0$ to
$p_r$ are never enabled. Note that $p_{r+1}$ is not enabled when $H_{p_{r+2}} = r + 2$, hence this
processor is never infinitely enabled. Overall, this execution is allowed by the weakly
fair scheduler, however it starves $p_{r+1}$, which contradicts the liveness property of $\mathcal{A}$.

Case 1.3: $p_{r+2}$ is enabled and after execution it modifies its clock to $r$.
The execution of this rule leads to case 2.

Case 2: The enabled rule for $p_{r+2}$ modifies its clock into $r$.

Assume w.l.o.g. that $p_{r+2}$ is the only activated processor and that after its execution the new
configuration verifies one of the following cases:

Case 2.1: $p_{r+2}$ is not enabled.

If the execution started from $\gamma_2$, then no processor is enabled, which contradicts the
liveness property (the network is starved).

Case 2.2: $p_{r+2}$ is enabled and its clock changes to $r + 1$.

Let $\epsilon$ be an execution starting from $\gamma_2$ which contains only actions of $p_{r+2}$ (its clock
takes infinitely often the following sequence of values: $r + 1$, $r$). In this execution, $p_{r+2}$ executes
a rule infinitely often (by construction) and processors from $p_0$ to $p_r$ are never enabled.
Note that $p_{r+1}$ is not enabled when $H_{p_{r+2}} = r$, so this processor is never infinitely
enabled. In conclusion, this execution verifies the weakly fair scheduling.
Note that this execution starves $p_{r+1}$, which contradicts the liveness property of $\mathcal{A}$.

Case 2.3: $p_{r+2}$ is enabled and the execution of its enabled rule modifies its clock to $r + 2$.
The execution of this rule leads to case 1.

Overall, the only two possible cases (cases 1.3 and 2.3) are the following:

1. $p_{r+2}$ is enabled for modifying its clock value to $r$ when $H_{p_{r+2}} = r + 2$ and $H_{p_{r+1}} = r + 1$.

2. $p_{r+2}$ is enabled for modifying its clock value to $r + 2$ when $H_{p_{r+2}} = r$ and $H_{p_{r+1}} = r + 1$.

Let $\epsilon$ be an execution starting from $\gamma_3$ which contains only actions of $p_{r+2}$ (its clock takes
infinitely often the following sequence of values: $r + 2$, $r$). In this execution, $p_{r+2}$ executes a rule
infinitely often (by construction) and processors in $p_0 \dots p_r$ are never enabled. Note that $p_{r+1}$
is not enabled when $H_{p_{r+2}} = r + 2$, so this processor is never infinitely enabled. In conclusion,
this execution verifies the weakly fair scheduling.

This execution starves $p_{r+1}$, which contradicts the liveness property of $\mathcal{A}$ and proves the
result. □
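
The starving executions built in this proof are periodic, so the scheduler definitions of Section 2 can be checked on a single period. The Python sketch below is an added example, not code from the paper; its function names are illustrative, and it assumes that every correct processor not disabled by Lemma 2 is enabled, which is the case least favourable to the argument.

```python
"""Added illustration, not code from the paper: the periodic executions of
the proof of Lemma 3, checked against the fairness definitions of Section 2."""


def chain(n):
    """Adjacency lists of the chain p_0 - p_1 - ... - p_{n-1}."""
    return {i: [j for j in (i - 1, i + 1) if 0 <= j < n] for i in range(n)}


def lemma2_disabled(adj, clock, p):
    """Lemma 2 (minimal AU only): p is not enabled when one neighbour is at
    H_p - 1 and another one is at H_p + 1."""
    values = {clock[q] for q in adj[p]}
    return clock[p] - 1 in values and clock[p] + 1 in values


def oscillation_cycle(r, values):
    """One period of an execution on the chain p_0 .. p_{r+2}: p_0 is crashed,
    H_{p_i} = i for i <= r+1, only p_{r+2} is activated and its clock loops
    over `values`. Each entry records the configuration, the enabled
    processors and the processor chosen by the scheduler."""
    n = r + 3
    adj = chain(n)
    last = r + 2
    cycle = []
    for v in values:
        clock = {i: i for i in range(n)}
        clock[last] = v
        # Assumption: a correct processor is enabled unless Lemma 2 forbids it.
        enabled = {p for p in range(1, n) if not lemma2_disabled(adj, clock, p)}
        cycle.append({"clock": clock, "enabled": enabled, "chosen": {last}})
    return cycle


def chosen_in(cycle):
    return set().union(*(step["chosen"] for step in cycle))


def is_weakly_fair(cycle):
    """Repeated forever, the cycle is weakly fair iff every processor enabled
    in all of its configurations (continuously enabled) is chosen."""
    continuously = set.intersection(*(step["enabled"] for step in cycle))
    return continuously <= chosen_in(cycle)


def is_strongly_fair(cycle):
    """Strongly fair iff every processor enabled in some configuration of the
    cycle (enabled infinitely often) is chosen."""
    infinitely_often = set().union(*(step["enabled"] for step in cycle))
    return infinitely_often <= chosen_in(cycle)


def enabled_but_never_chosen(cycle):
    """Processors that are enabled at some point yet never execute a rule."""
    return set().union(*(step["enabled"] for step in cycle)) - chosen_in(cycle)


if __name__ == "__main__":
    r = 2
    for name, values in (("Case 1.2", (r + 1, r + 2)), ("from gamma_3", (r + 2, r))):
        cycle = oscillation_cycle(r, values)
        print(name, "weakly fair:", is_weakly_fair(cycle),
              "strongly fair:", is_strongly_fair(cycle),
              "starved:", sorted(enabled_but_never_chosen(cycle)))
```

Both periods are accepted by a weakly fair scheduler and rejected by a strongly fair one, and the only processor that is enabled yet never chosen is $p_{r+1}$.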

Proposition 3 For any natural number $r$, there exists no $(1, r)$-ftss algorithm for minimal
AU under a weakly fair daemon.

Proof. Let $r$ be a natural integer. Assume there exists a $(1, r)$-ftss algorithm $\mathcal{A}$ for the
minimal AU under a weakly fair daemon. By Lemma 3, an arbitrary processor $p$ is not enabled
for $\mathcal{A}$ if it has only one neighbor $p'$ and if $H_p = H_{p'}$.

Let $G$ be a network reduced to a chain of 2 processors $p$ and $p'$. Let $\gamma$ be a configuration of
$G$ in which $H_p = H_{p'}$ and no processor is crashed. Notice that no processor is enabled in $\gamma$, which
contradicts the liveness property of $\mathcal{A}$ and proves the result. □

Figure 2: Initial configurations used in the proof of Proposition 4 (the numbers represent clock
values and the double circles represent crashed processors).

The second main result of this section is that there exists no $(1, r)$-ftss algorithm for priority
AU under a weakly fair daemon for any natural number $r$ (see Proposition 4).

To prove this result by contradiction we construct an execution (allowed by a weakly fair
scheduler) starting from the configuration $\gamma_0^0$ shown in Figure 2. We prove that this execution
starves $p_{r+1}$, which contradicts the liveness property of the algorithm.

Proposition 4 For any natural number $r$, there exists no $(1, r)$-ftss algorithm for priority AU
under a weakly fair daemon.

Proof. Let $r$ be a natural number. Assume that there exists a $(1, r)$-ftss algorithm $\mathcal{A}$
for priority AU under a weakly fair daemon. Let $G$ be the network reduced to a chain of
length $r + 2$. Assume that processors in $G$ are labeled as follows: $p_0, p_1, \dots, p_{r+2}$. Let $\gamma_0^0$ be a
configuration in which $p_0$ is crashed and $\forall i \in \{0, \dots, r + 2\}$, $H_{p_i} = i$ (see Figure 2). Note that all the
other variables can have any value.

We construct a fragment of execution $\epsilon'_0 = \gamma_0^0 \gamma_1^0 \gamma_2^0 \dots \gamma_{r+1}^0$ starting from $\gamma_0^0$ such that $\forall i \in
\{0, 1, \dots, r\}$, the step $\gamma_i^0 \rightarrow \gamma_{i+1}^0$ contains only the action of $p_{i+1}$ if $p_{i+1}$ is enabled. By Lemma
1, this fragment does not modify the clock value of processors in $p_0 \dots p_{r+1}$.

We also construct a fragment of execution, $\epsilon''_0$, starting from $\gamma_{r+1}^0$ using the following cases:

Case 1: $p_{r+2}$ is not enabled in $\gamma_{r+1}^0$.
Let $\epsilon''_0$ be the empty word.

Case 2: $p_{r+2}$ is enabled in $\gamma_{r+1}^0$.

In the sequel we distinguish the following cases:

Case 2.1: The execution of a rule by $p_{r+2}$ in $\gamma_{r+1}^0$ doesn't modify its clock value.

Let $\epsilon''_0$ be $\gamma_{r+1}^0 \gamma_{r+2}^0$ in which the step $\gamma_{r+1}^0 \rightarrow \gamma_{r+2}^0$ contains only the execution of a
rule by $p_{r+2}$.

Case 2.2: The execution of a rule by $p_{r+2}$ in $\gamma_{r+1}^0$ modifies its clock value.

The safety property of $\mathcal{A}$ implies that the clock of $p_{r+2}$ takes the value $r$ or $r + 1$.

Case 2.2.1: The execution of a rule by $p_{r+2}$ in $\gamma_{r+1}^0$ modifies its clock value into
$r + 1$.

Since $\mathcal{A}$ is a priority unison, there exists by definition a fragment of execution
$\epsilon''_0 = \gamma_{r+1}^0 \gamma_{r+2}^0 \dots \gamma_{r+k}^0$ which contains only actions of $p_{r+2}$ such that (i) in the
steps from $\gamma_{r+2}^0$ to $\gamma_{r+k-1}^0$ the clock value of $p_{r+2}$ is not modified while (ii) in the
step $\gamma_{r+k-1}^0 \rightarrow \gamma_{r+k}^0$ the clock value of $p_{r+2}$ is incremented.

Case 2.2.2: The execution of a rule by $p_{r+2}$ in $\gamma_{r+1}^0$ modifies its clock value into $r$.
Since $\mathcal{A}$ is a priority unison, there exists by definition a fragment of execution
$\epsilon_a = \gamma_{r+1}^0 \gamma_{r+2}^0 \dots \gamma_{r+k}^0$ which contains only actions of $p_{r+2}$ such that (i) in the
steps from $\gamma_{r+2}^0$ to $\gamma_{r+k-1}^0$ the clock value of $p_{r+2}$ is not modified and (ii) in the
step $\gamma_{r+k-1}^0 \rightarrow \gamma_{r+k}^0$ the clock of $p_{r+2}$ takes the value $r + 1$.
Since $\mathcal{A}$ is a priority unison, there exists by definition a fragment of execution
$\epsilon_b = \gamma_{r+k}^0 \gamma_{r+k+1}^0 \dots \gamma_{r+j}^0$ which contains only actions of $p_{r+2}$ such that (i) in the
steps from $\gamma_{r+k+1}^0$ to $\gamma_{r+j-1}^0$ the clock value of $p_{r+2}$ is not modified and (ii) in
the step $\gamma_{r+j-1}^0 \rightarrow \gamma_{r+j}^0$ the clock value of $p_{r+2}$ is incremented.
Let $\epsilon''_0$ be $\epsilon_a \epsilon_b$.

In all cases, we construct a fragment of execution $\epsilon_0 = \epsilon'_0 \epsilon''_0$ such that its last configuration
(let us denote it by $\gamma_0^1$) verifies: the values of the network clocks are identical to those in $\gamma_0^0$ (the
other variables may have changed). Then, we can reiterate the reasoning and obtain fragments
of execution $\epsilon_1, \epsilon_2, \dots$ (respectively starting from $\gamma_0^1, \gamma_0^2, \dots$) that verify the same property.

We finally obtain an execution $\epsilon = \epsilon_0 \epsilon_1 \dots$ which verifies:

• No processor is infinitely enabled without executing a rule (since all enabled processors in
$\gamma_0^i$ execute a rule or are neutralized during $\epsilon_i$). Consequently $\epsilon$ is an execution that verifies
the weakly fair scheduling.

• The clock of the processor $p_{r+1}$ never changes (whereas $d(p_0, p_{r+1}) = r + 1$).

This execution contradicts the liveness property of $\mathcal{A}$, which is a $(1, r)$-ftss algorithm for
priority AU under a weakly fair daemon by hypothesis. □

3.5 With respect to strongly fair daemon 

In this section we prove that there exists no $(1, r)$-ftss algorithm for minimal or priority AU
under a strongly fair daemon if the degree of the network is greater than or equal to 3. In order to
prove the first impossibility result, we use the following property: if a processor $p$ has only one
neighbor $q$ such that $H_q = r + 1$ and if $|H_p - H_q| \leq 1$, then $p$ is enabled in any $(1, r)$-ftss
algorithm for minimal AU (see Lemma 4). Then we construct a strongly fair infinite execution
which starves a processor more than $r$ hops away from a crashed processor. This execution
contradicts the liveness property of the AU problem (see Proposition 5).

Lemma 4 Let $\mathcal{A}$ be a $(1, r)$-ftss algorithm for minimal AU. If a processor $p$ has only one neighbor
$q$ such that $H_q = r + 1$ and if $|H_p - H_q| \leq 1$, then $p$ is enabled in $\mathcal{A}$.

Proof. Assume that there exists an algorithm $\mathcal{A}$ which is $(1, r)$-ftss for minimal AU. Let $G$
be a network that executes $\mathcal{A}$ and which contains at least one processor $p$ which has only one
neighbor $q$. Assume $H_q = r + 1$ and $|H_p - H_q| \leq 1$. Then, we have:

1. If $H_p = r$, then $p$ is enabled for at least one rule of $\mathcal{A}$. Otherwise, the network reduced to
the chain $p_0, \dots, p_r, q, p$ in the configuration $\gamma_1$ defined by $\forall i \in \{0, \dots, r\}$, $H_{p_i} = 2r + 2 - i$,
$H_q = r + 1$, $H_p = r$ where $p_0$ is crashed (see Figure 3) is starved since no correct processor
is enabled (by Lemma 2).

2. If $H_p = r + 1$, then $p$ is enabled for at least one rule of $\mathcal{A}$. Otherwise, the network reduced
to the chain $q, p$ in the configuration $\gamma_2$ defined by $H_q = H_p = r + 1$ and in which no
processor is crashed (see Figure 3) is starved since no correct processor is enabled.
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Figure 3: The three configurations used in the proof of Lemma 4 (the numbers represent clock 
values and the double circles represent crashed processors). 

3. If Hp = r+2, then p is enabled for at least one rule of A. Otherwise, the network reduced to 
the chain po: ■ • ■ ,Pr, Q,P in the configuration 73 defined by Vi <E {0, . . . , r}, H pi i, H q = r+1, 
H p — r + 2 and po crashed (see Figure 3) is starved since no correct processor is enabled 
(by Lemma 2). 

□ 

Proposition 5 For any natural number $r$, there exists no $(1,r)$-ftss algorithm for minimal
AU under a strongly fair daemon if the graph modeling the network has a degree greater than or
equal to 3.

Proof. Let $r$ be a natural number. Assume that there exists a $(1,r)$-ftss algorithm $\mathcal{A}$
for the minimal AU under a strongly fair daemon in a network with a degree greater than or equal
to 3. Let $G$ be the network defined by: $V = \{p_0, \ldots, p_{r+1}, q, q'\}$ and
$E = \{\{p_i, p_{i+1}\}, i \in \{0, \ldots, r\}\} \cup \{\{p_{r+1}, q\}, \{p_{r+1}, q'\}\}$.

As $\mathcal{A}$ is deterministic, $q$ and $q'$ must behave identically if they have the same clock value (in
this case, their local configurations are identical). If $H_{p_{r+1}} = r + 1$ and $|H_{p_{r+1}} - H_q| \leq 1$, there
exist three local configurations for $q$: (1) $H_q = r$, (2) $H_q = r + 1$ or (3) $H_q = r + 2$ (the same
property holds for $q'$).

By Lemma 4, processor $q$ (respectively $q'$) is enabled in any configuration in which $H_{p_{r+1}} = r + 1$
and $|H_{p_{r+1}} - H_q| \leq 1$ (respectively $|H_{p_{r+1}} - H_{q'}| \leq 1$). Moreover, in this case, the enabled
rule for $q$ (respectively $q'$) modifies its clock into a value in $\{r, r + 1, r + 2\} \setminus \{H_q\}$ (respectively
$\{r, r + 1, r + 2\} \setminus \{H_{q'}\}$) by the safety property of $\mathcal{A}$.

For each of the three possible local configurations for $q$ or $q'$ (studied in the proof of Lemma
4), $\mathcal{A}$ can only allow 2 moves. Hence, there exist 8 possible moves for $\mathcal{A}$. Let us denote each of
these possibilities by a triplet $(a, b, c)$ where $a$, $b$ and $c$ are the clock values of $q$ after the allowed
move when $H_q = r$, $H_q = r + 1$, and $H_q = r + 2$ respectively. Note that, due to the determinism
of $\mathcal{A}$, moves allowed for $q'$ and $q$ are identical. There exist the following cases:

Case 1: (r + 1, r, r) 

Let $\gamma_1$ be the configuration of $G$ defined by: $\forall i \in \{0, \ldots, r + 1\}, H_{p_i} = 2r + 2 - i$, $H_q = r + 1$
and $H_{q'} = r$ and $p_0$ crashed (see Figure 4). Note that only $q$ and $q'$ are enabled (by Lemma
2). Assume $q$ executes. Hence, its clock takes the value $r$. By Lemma 2, only $q$ and $q'$ are
enabled. Assume now that $q'$ executes. Its clock takes the value $r + 1$. This configuration
is identical to $\gamma_1$ (since processors are anonymous), so we can repeat the above reasoning in
order to obtain an infinite execution in which processors $p_1, \ldots, p_{r+1}$ are never enabled
(see Figure 5 for an illustration when $r = 1$).

Figure 4: The three configurations used in the proof of Proposition 5 (the numbers represent clock
values and the double circles represent crashed processors).

Case 2: $(r + 1, r + 2, r)$

Let $\gamma_2$ be the configuration of $G$ defined by: $\forall i \in \{0, \ldots, r + 1\}, H_{p_i} = i$, $H_q = r$ and
$H_{q'} = r + 2$ and $p_0$ crashed (see Figure 4). Note that only $q$ and $q'$ are enabled (by Lemma
2). Assume $q$ executes. Its clock takes the value $r + 1$. By Lemma 2, only $q$ and $q'$ are
enabled. Assume $q$ executes its rule again. Its clock takes the value $r + 2$. By Lemma 2,
only $q$ and $q'$ are enabled. Assume now that $q'$ executes its rule. Its clock takes the value
$r$. This configuration is identical to $\gamma_2$ (since processors are anonymous). We can repeat
the reasoning in order to obtain an infinite execution in which processors $p_1, \ldots, p_{r+1}$
are never enabled.

Case 3: $(r + 1, r, r + 1)$

Similar to the reasoning of case 1. 

Case 4: (r + 1, r + 2, r + 1) 

Let $\gamma_3$ be the configuration of $G$ defined by: $\forall i \in \{0, \ldots, r + 1\}, H_{p_i} = i$, $H_q = r + 2$ and
$H_{q'} = r + 1$ and in which $p_0$ is crashed (see Figure 4). Note that only $q$ and $q'$ are enabled
(by Lemma 2). Assume $q'$ executes its rule. Its clock takes the value $r + 2$. By Lemma
2, only $q$ and $q'$ are enabled. Assume now that $q$ executes its rule. Its clock takes the
value $r + 1$. This configuration is identical to $\gamma_3$ (since processors are anonymous). We
can repeat the reasoning in order to obtain an infinite execution in which processors
$p_1, \ldots, p_{r+1}$ are never enabled.

Figure 5: Example of the execution constructed in case 1 of Proposition 5 when $r = 1$ (the numbers
represent clock values and the double circles represent crashed processors).

Case 5: $(r + 2, r, r)$

Let $\gamma_2$ be the configuration of $G$ as defined in case 2 above. Note that only $q$ and $q'$
are enabled (by Lemma 2). Assume $q$ executes its rule. Its clock takes the value $r + 2$.
By Lemma 2, only $q$ and $q'$ are enabled. Assume now that $q'$ executes its rule. Its clock
takes the value $r$. This configuration is identical to $\gamma_2$ (since processors are anonymous).
We can repeat the reasoning in order to obtain an infinite execution in which processors
$p_1, \ldots, p_{r+1}$ are never enabled.

Case 6: $(r + 2, r + 2, r)$

The reasoning is similar to case 5.

Case 7: $(r + 2, r, r + 1)$

Let $\gamma_2$ be the configuration of $G$ as defined in case 2 above. Note that only $q$ and $q'$
are enabled (by Lemma 2). Assume $q$ executes its rule. Its clock takes the value $r + 2$.
By Lemma 2, only $q$ and $q'$ are enabled. Assume $q'$ executes its rule. Its clock takes
the value $r + 1$. By Lemma 2, only $q$ and $q'$ are enabled. Assume $q'$ executes its rule
again. Its clock takes the value $r$. This configuration is identical to $\gamma_2$ (since processors are
anonymous). We can repeat the above scenario in order to obtain an infinite execution in
which processors $p_1, \ldots, p_{r+1}$ are never enabled.

Case 8: $(r + 2, r + 2, r + 1)$

The proof is similar to case 4.

Figure 6: The initial configuration for the proof of Proposition 6 (the numbers represent clock values
and the double circles represent crashed processors).

Overall, we can construct an infinite execution in which processor $p_0$ is crashed, processors
from $p_1$ to $p_{r+1}$ are never enabled and processors $q$ and $q'$ execute a rule infinitely often. This
execution satisfies the strongly fair scheduling. Notice that in this execution $p_{r+1}$ is never enabled,
hence it is starved. This contradicts the liveness property of $\mathcal{A}$ and proves the result. □

The second main result of this section is that there exists no $(1,r)$-ftss algorithm for priority
AU under a strongly fair daemon for any natural number $r$ if the degree of the graph modeling
the network is greater than or equal to 3 (see Proposition 6).

To prove this result we assume the contrary and we construct an execution starting from
the configuration $\gamma_0^0$ of Figure 6 satisfying the strongly fair scheduling which starves $p_{r+1}$, which
contradicts the liveness of the algorithm.

Proposition 6 For any natural number $r$, there exists no $(1,r)$-ftss algorithm for priority AU
under a strongly fair daemon if the graph modeling the network has a degree greater than or equal to
3.

Proof. Let $r$ be a natural number. Assume that there exists a $(1,r)$-ftss algorithm $\mathcal{A}$
for priority AU under a strongly fair daemon even if the graph modeling the network has a
degree greater than or equal to 3. Let $G$ be the network defined by: $V = \{p_0, \ldots, p_{r+1}, q, q'\}$ and
$E = \{\{p_i, p_{i+1}\}, i \in \{0, \ldots, r\}\} \cup \{\{p_{r+1}, q\}, \{p_{r+1}, q'\}\}$. Note that $G$ has a degree equal to 3.

Let $\gamma_0^0$ be the following configuration: $\forall i \in \{0, \ldots, r + 1\}, H_{p_i} = i$, $H_q = H_{q'} = r + 2$ and
$p_0$ crashed (see Figure 6). Note that, for every execution $e$ starting from $\gamma_0^0$, the processors $q$ and
$q'$ are allowed to modify their clocks in a finite time (otherwise the network would be starved
following Lemma 1).

Let $e_a^0 = \gamma_0^0 \gamma_1^0 \ldots \gamma_k^0$ be a fragment of execution with the following properties:

1. $k \geq 1$ if there exists $i \in \{0, \ldots, r + 1\}$ such that $p_i$ is enabled in $\gamma_0^0$; $k = 0$ otherwise

2. it contains no modification of clock values

3. $\gamma_k^0$ is the first configuration in which $q$ or $q'$ are enabled for the modification of their clock
value.

We consider the following scheduling scenario: in each step of $e_a^0$, the least recently
executed processor in the set of enabled processors executes. Note that this scenario is compatible with
a strongly fair scheduling. Let us study the following cases:

Case 1: $q$ is enabled in $\gamma_k^0$ for a modification of its clock value. The safety property of $\mathcal{A}$ implies
that the value of $H_q$ should be modified to either $r$ or $r + 1$.

Case 1.1: The value of $H_q$ is modified to $r$.

Since $\mathcal{A}$ is a priority unison, there exists by definition a fragment of execution
$e_{b_1}^0 = \gamma_k^0 \gamma_{k+1}^0 \ldots \gamma_{k+r}^0$ which contains only actions of $q$ such that (i) in the steps from $\gamma_k^0$ to
$\gamma_{k+r-1}^0$ the clock value of $q$ is not modified and (ii) in the step $\gamma_{k+r-1}^0 \to \gamma_{k+r}^0$ the
clock value of $q$ is incremented.

Since $\mathcal{A}$ is a priority unison, there exists by definition a fragment of execution
$e_{b_2}^0 = \gamma_{k+r}^0 \gamma_{k+r+1}^0 \ldots \gamma_{k+j}^0$ which contains only executions of a rule by $q$ such that (i) in the
steps from $\gamma_{k+r}^0$ to $\gamma_{k+j-1}^0$ the clock value of $q$ is not modified and (ii) in the step
$\gamma_{k+j-1}^0 \to \gamma_{k+j}^0$ the clock value of $q$ is incremented.
Let $e_b^0$ be $e_{b_1}^0 e_{b_2}^0$.

Case 1.2: The value of $H_q$ is modified to $r + 1$.

Since $\mathcal{A}$ is a priority unison, there exists by definition a fragment of execution
$e_b^0 = \gamma_k^0 \gamma_{k+1}^0 \ldots \gamma_{k+r}^0$ which contains only actions of $q$ such that (i) in the steps from $\gamma_k^0$ to
$\gamma_{k+r-1}^0$ the clock value of $q$ is not modified and (ii) in the step $\gamma_{k+r-1}^0 \to \gamma_{k+r}^0$ the
clock value of $q$ increments.

If $q'$ is enabled in the last configuration of $e_b^0$ (see footnote 2), we can construct $e_c^0$ similarly to $e_b^0$ using
processor $q'$. Otherwise, let $e_c^0$ be $\epsilon$ (the empty word).

Case 2: $q'$ is enabled in $\gamma_k^0$ for a modification of its clock value.

We can construct $e_b^0$ and $e_c^0$ similarly to case 1 by reversing the roles of $q$ and $q'$.

Let us define $e^0 = e_a^0 e_b^0 e_c^0$. Notice that the clock values are identical in the first and the last
configuration of $e^0$. This implies that we can infinitely repeat the previous reasoning in order
to obtain an infinite execution $e = e^0 e^1 \ldots$ which satisfies:

• No correct processor is infinitely often enabled without executing a rule (since $q$ and $q'$
execute a rule infinitely often and other processors are chosen according to their last
execution of a rule, which implies that an infinitely often enabled processor executes a rule
in a finite time). This execution satisfies a strongly fair scheduling.

• The clock value of $p_{r+1}$ is never modified (whereas $d(p_0, p_{r+1}) = r + 1$).

This execution contradicts the liveness property of $\mathcal{A}$, which implies the result. □

4 A protocol for chains and rings 

In the following we consider some possibility results related to the asynchronous unison on chains
and rings (networks with a degree less than 3).

In this section, we propose a $(1,0)$-ftss algorithm for AU under a locally central strongly
fair daemon for chains and rings. The proposed algorithm is both minimal and priority.

4.1 Algorithm description 

Each processor checks if it is "locally synchronized", i.e. if the drift between its clock value and
the clock values of its neighbors does not exceed 1.

If a processor is "locally synchronized", it modifies its clock value in a finite time in order
to preserve this property. If a processor is not synchronized with at least one of its neighbors,
it corrects its clock value in a finite time. More precisely, each
processor $p$ has only one variable: its clock, denoted by $H_p$. At each step, every processor $p$
computes a set of possible clock values, i.e. the set of clock values which have a drift of at most
1 with respect to all neighbors of $p$ (note that computing this set relies only on the clock values
of $p$'s neighbors, but not on that of $p$). This set is denoted by $Inter(N_p)$.
Then, the following cases may appear:

• $|Inter(N_p)| = 0$: $p$ has two neighbors and the drift between their clock values is strictly
greater than 2. In this case, $p$ is enabled to take the average value between these two clock
values if its clock does not yet have this value.

• $|Inter(N_p)| = 1$: $p$ has two neighbors and the drift between their clock values is exactly
2. In this case, $p$ is enabled to take the average value between these two clock values if its
clock does not yet have this value.

• $|Inter(N_p)| \geq 2$: $p$ has one neighbor or the drift between the clock values of its two
neighbors is strictly less than 2. In this case, $p$ is enabled to modify its clock value as
follows: if $H_p + 1 \in Inter(N_p)$, then $H_p$ is modified to $H_p + 1$, otherwise $H_p$ is modified
to $\min\{Inter(N_p)\}$.

2 In this case, $q'$ was already enabled in the last configuration of $e_a^0$.

Figure 7: An example of execution of $\mathcal{UFTSS}$ on a chain with no crash (the numbers represent
clock values and squared processors in $\gamma_i$ executed the indicated rule during the step $\gamma_i \to \gamma_{i+1}$).

Note that our correction rules use the average instead of the maximum or minimum (which are
frequently used in the literature, see e.g. [9, 11, 12, 22]) in order not to favor the clock value
of a particular neighbor. That is, the chosen neighbor may be crashed and prevent the system
from reaching synchronization.

The detailed description of our solution is proposed in Algorithm 1. In order to better
understand our algorithm, Figures 7 to 10 propose some toy examples.
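The three cases above can be exercised with a small simulation on a chain or ring with a crashed processor. This is an added example, not the authors' code: function names are illustrative, the daemon is a central one that always picks the least recently executed enabled processor (one strongly fair, locally central schedule), and rule (C1) is assumed to leave a processor disabled when its clock equals the neighbors' average rounded down or up, and otherwise to take the average rounded down.

```python
"""Simulation of the normal and correction rules on a chain or ring (added illustration)."""


def poss(h):
    """Macro poss(q): clock values within drift 1 of a neighbor clock h (clocks are naturals)."""
    return {h, h + 1} if h == 0 else {h - 1, h, h + 1}


def neighbors(p, n, ring=False):
    """Neighbors of processor p on a chain, or a ring, of n >= 2 processors."""
    if ring:
        return sorted({(p - 1) % n, (p + 1) % n} - {p})
    return [q for q in (p - 1, p + 1) if 0 <= q < n]


def move(clocks, p, ring=False):
    """Return (rule, new_clock) if p is enabled in this configuration, else None."""
    nbrs = neighbors(p, len(clocks), ring)
    inter = set.intersection(*(poss(clocks[q]) for q in nbrs))  # Inter(N_p)
    h = clocks[p]
    if len(inter) >= 2:  # normal rule (N): next(Inter(N_p), H_p)
        return ("N", h + 1 if h + 1 in inter else min(inter))
    if len(inter) == 1:  # correction rule (C2): take the single possible value
        (target,) = inter
        return ("C2", target) if h != target else None
    # Correction rule (C1): Inter(N_p) is empty, move to the neighbors' average.
    # Assumption: p is disabled if H_p is the average rounded down or up,
    # and otherwise takes the average rounded down.
    total, k = sum(clocks[q] for q in nbrs), len(nbrs)
    low, high = total // k, -(-total // k)
    return ("C1", low) if h not in (low, high) else None


def legitimate(clocks, ring=False):
    """True when every pair of neighbors has a clock drift of at most 1."""
    n = len(clocks)
    return all(abs(clocks[p] - clocks[q]) <= 1
               for p in range(n) for q in neighbors(p, n, ring))


def step(clocks, last, t, crashed, ring=False):
    """One move of the central daemon: the least recently executed enabled
    correct processor executes. Returns (p, rule, old, new) or None."""
    best = None
    for p in range(len(clocks)):
        if p in crashed:
            continue  # a crashed processor never executes; its clock stays readable
        m = move(clocks, p, ring)
        if m is not None and (best is None or last[p] < last[best[0]]):
            best = (p, m)
    if best is None:
        return None
    p, (rule, new) = best
    old, clocks[p], last[p] = clocks[p], new, t
    return p, rule, old, new


def simulate(start, crashed=(), ring=False, max_steps=1000, extra=200):
    """Run until a legitimate configuration is reached, then `extra` more steps
    to check closure (still legitimate) and liveness (who incremented)."""
    clocks, crashed = list(start), set(crashed)
    last, t = [-1] * len(clocks), 0
    while not legitimate(clocks, ring) and t < max_steps:
        if step(clocks, last, t, crashed, ring) is None:
            break
        t += 1
    converged = legitimate(clocks, ring)
    closed, incremented = converged, set()
    for u in range(t, t + extra if converged else t):
        done = step(clocks, last, u, crashed, ring)
        if done is None:
            break
        p, _rule, old, new = done
        if new == old + 1:
            incremented.add(p)
        closed = closed and legitimate(clocks, ring)
    return {"converged_at": t if converged else None, "closed": closed,
            "incremented": incremented, "clocks": clocks}


# Constructed start: arbitrary clocks on a 5-processor chain, processor 2 crashed.
START, CRASHED = [3, 0, 9, 4, 12], {2}

if __name__ == "__main__":
    print(simulate(START, CRASHED))
```

On this start configuration the neighbors of the crashed processor end up cycling through the values within drift 1 of its frozen clock, which is how they keep incrementing without ever leaving the legitimate set.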

4.2 Correctness proof roadmap

In this section, we present the key ideas in order to prove the correctness of our algorithm.
First, we introduce some useful notations:

Notation 1 Let $p$ be a processor. If $q$ denotes one of its neighbors, we denote the other neighbor
by $\bar{q}$ (if this neighbor exists).

Figure 8: An example of execution of $\mathcal{UFTSS}$ on a chain with a crash (the numbers represent clock
values, the double circles represent crashed processors and squared processors in $\gamma_i$ executed the
indicated rule during the step $\gamma_i \to \gamma_{i+1}$).

Figure 10: An example of execution of $\mathcal{UFTSS}$ on a ring with a crash (the numbers represent clock
values, the double circles represent crashed processors and squared processors in $\gamma_i$ executed the
indicated rule during the step $\gamma_i \to \gamma_{i+1}$).


Algorithm 1 ($\mathcal{UFTSS}$): AU (minimal and priority) $(1,0)$-ftss.

Data:

- $N_p$: set of neighbors of $p$.

Variable:

- $H_p$: natural integer representing the clock of the processor.

Macros:

- For $A \subseteq \mathbb{N}$ and $a \in \mathbb{N}$, $next(A, a) = a + 1$ if $a + 1 \in A$, $\min\{A\}$ otherwise.

- For $q \in N_p$, $poss(q) = \{H_q - 1, H_q, H_q + 1\}$ if $H_q \neq 0$, $\{H_q, H_q + 1\}$ otherwise.

- $Inter(N_p) = \bigcap_{q \in N_p} poss(q)$.

Rules:

/* Normal rule */

$(N)$ :: $|Inter(N_p)| \geq 2 \to H_p := next(Inter(N_p), H_p)$

/* Correction rules */

(Ci) :: (\Inter(N p )\ = 0) A H p ^ 



E n q 

q£N p 

\N„\ 



A [Hp^ 



$(C_2)$ :: $(Inter(N_p) = \{h\}) \wedge (H_p \neq h) \to H_p := h$



E H q 

q£N p 
\N P \ 



Hn 



E H q 

q£N p 

\Nr\ 
Notation 2 We denote the value of $H_p$ for a processor $p$ in a configuration $\gamma_i$ by $(H_p)^{\gamma_i}$.
We denote the value of $Inter(N_p)$ for a processor $p$ in a configuration $\gamma_i$ by $(Inter(N_p))^{\gamma_i}$.

In order to prove that $\mathcal{UFTSS}$ is a $(1,0)$-ftss algorithm for AU under a locally central
strongly fair daemon on a chain and on a ring (see Proposition 11), we prove in the sequel the
following properties:

1. $\mathcal{UFTSS}$ is a self-stabilizing algorithm for AU under a locally central strongly fair daemon
on a chain (Proposition 7).

2. $\mathcal{UFTSS}$ is a self-stabilizing algorithm for AU under a locally central strongly fair daemon
on a chain even if one processor is crashed in the initial configuration (Proposition 8).

3. $\mathcal{UFTSS}$ is a self-stabilizing algorithm for AU under a locally central strongly fair daemon
on a ring (Proposition 9).

4. $\mathcal{UFTSS}$ is a self-stabilizing algorithm for AU under a locally central strongly fair daemon
on a ring even if one processor is crashed in the initial configuration (Proposition 10).

The proof of each of these 4 propositions is deduced from 3 lemmas as follows:

1. Firstly, we prove that $\mathcal{UFTSS}$ verifies the closure of the safety of UAU under the considered
hypothesis (i.e. if there exists a configuration $\gamma$ such that $\gamma \in \Gamma_1$, then every
configuration $\gamma'$ reachable from $\gamma$ verifies $\gamma' \in \Gamma_1$, see respectively Lemmas 5, 11, 14, and
20).

The idea of the proof is as follows: we first prove that only the normal rule is enabled in
such a configuration and then, we show that this rule respects the "locally synchronized"
property.

2. Secondly, we prove that $\mathcal{UFTSS}$ verifies liveness of UAU under the considered hypothesis
in every execution starting from a legitimate configuration (i.e. every (correct) processor
increments its clock infinitely often, see respectively Lemmas 7, 12, 16, and 21).

This proof is done in the following way: we first show that every (correct) processor
executes the normal rule infinitely often in every execution starting from a configuration
$\gamma \in \Gamma_1$ and then, we show that if a processor executes the normal rule infinitely often, it
increments its clock in a finite time.

3. Finally, we prove that $\mathcal{UFTSS}$ converges to a legitimate configuration of UAU under the
considered hypothesis in every execution (i.e. there exists a configuration $\gamma \in \Gamma_1$ in every
execution, see respectively Lemmas 10, 13, 19, and 22).

In order to complete the proof, we study a potential function.

4.3 Proof on a chain 

In this section, we assume that our algorithm is executed on a chain under a strongly fair locally
central daemon. In the following we prove that $\mathcal{UFTSS}$ is a FTSS UAU (which implies that it
is a FTSS AU) under these assumptions. The proof contains two major steps:

- First, we prove that our algorithm is self-stabilizing.

- Second, we prove that our algorithm is self-stabilizing even if the initial configuration
contains a crashed processor.

4.3.1 Proof of self-stabilization

In this section, $e = \gamma_0, \gamma_1 \ldots$ denotes an execution of $\mathcal{UFTSS}$ in which there is no crash.
Firstly, we are going to prove the closure of our algorithm.

Lemma 5 If there exists $i \geq 0$ such that $\gamma_i \in \Gamma_1$, then $\gamma_{i+1} \in \Gamma_1$.

Proof. Assume that there exists $i \geq 0$ such that $\gamma_i \in \Gamma_1$. This implies that $\forall p \in V$,
$(Inter(N_p))^{\gamma_i} \neq \emptyset$ and then the rule $(C_1)$ is not enabled in $\gamma_i$. Assume rule $(C_2)$ is enabled in
$\gamma_i$. This implies that $(Inter(N_p))^{\gamma_i} = \{h\}$ and that $(H_p)^{\gamma_i} \neq h$. Then, we have $\gamma_i \notin \Gamma_1$ (since
if $(H_p)^{\gamma_i} \neq h$, then the following holds: $\exists q \in N_p, |(H_p)^{\gamma_i} - (H_q)^{\gamma_i}| \geq 2$). This contradiction
allows us to conclude that the enabled processors in $\gamma_i$ are only enabled for rule $(N)$.

Let $p$ be a processor which executes a rule during the step $\gamma_i \to \gamma_{i+1}$. Since the daemon
is locally central, neighbors of $p$ do not execute a rule during this step (their clock
values remain identical). Assume the following holds: $\exists q \in N_p, |(H_p)^{\gamma_{i+1}} - (H_q)^{\gamma_{i+1}}| \geq 2$.
By construction of rule $(N)$, $(H_p)^{\gamma_{i+1}} \in (Inter(N_p))^{\gamma_i}$. By construction,
$(Inter(N_p))^{\gamma_i} \subseteq \{(H_q)^{\gamma_i} - 1, (H_q)^{\gamma_i}, (H_q)^{\gamma_i} + 1\}$. It follows that $\forall q \in N_p, |(H_p)^{\gamma_{i+1}} - (H_q)^{\gamma_{i+1}}| < 2$ for each
processor $p$ which executes a rule (since $\forall q \in N_p, (H_q)^{\gamma_i} = (H_q)^{\gamma_{i+1}}$). Overall, $\gamma_{i+1} \in \Gamma_1$. □

Secondly, we prove the liveness of our algorithm. 

Lemma 6 $\forall \gamma_0 \in \Gamma_1, \forall p \in V$, $p$ executes the rule $(N)$ in a finite time in any execution starting
from $\gamma_0$.

Proof. Let $\gamma_0 \in \Gamma_1$. Following Lemma 5, the only enabled rule is $(N)$. We prove this property
by induction. To this end, we define the following property (where $p$ denotes a processor):
$(P_d)$: If $d$ is the distance between $p$ and the nearest end of the chain, then $p$ executes the rule
$(N)$ in a finite time in any execution starting from $\gamma_0$.

Initialization ($d = 0$): For all $\gamma'$, configurations contained in an execution starting from $\gamma_0$, $p$
is enabled for rule $(N)$ since $(Inter(N_p))^{\gamma'} \supseteq \{(H_q)^{\gamma'}, (H_q)^{\gamma'} + 1\}$ where $q$ denotes the
only neighbor of $p$. Since the daemon is strongly fair, $p$ executes a rule in a finite time.

Induction ($d > 0$): Assume $(P_{d-1})$ is true. Denote by $q$ the neighbor of $p$ which is on the
half-chain starting with $p$ which realizes $d$. Assume for contradiction that $p$ is never enabled for rule
$(N)$ in an execution $e$ starting from $\gamma_0 \in \Gamma_1$. This implies that, for each configuration $\gamma'$
which is contained in $e$, we have $|(Inter(N_p))^{\gamma'}| = 1$ (since if $|(Inter(N_p))^{\gamma'}| = 0$, then
$\gamma' \notin \Gamma_1$). Let us study the following cases:

Case 1: $\bar{q}$ never executes a rule in $e$.

It follows that: $\forall \gamma' \in e, (H_q)^{\gamma'} = (H_{\bar{q}})^{\gamma'} + 2$ or $(H_q)^{\gamma'} = (H_{\bar{q}})^{\gamma'} - 2$. By construction
of $(Inter(N_q))^{\gamma'}$ and of rule $(N)$, the clock of $q$ cannot move from one value to the
other in a step (recall that only rule $(N)$ can be enabled for $q$ since $\gamma' \in \Gamma_1$ by Lemma
5); this implies that $q$ never executes the rule $(N)$, which contradicts $(P_{d-1})$.

Case 2: $\bar{q}$ executes a rule in a finite time in $e$.

Let $\gamma \to \gamma'$ be the first step in which $\bar{q}$ executes the rule $(N)$. It is known that, for
any $\gamma \in \Gamma_1$, $|(Inter(N_p))^{\gamma}| = 1$ implies:

(A) $(H_q)^{\gamma} = (H_p)^{\gamma} - 1 \wedge (H_{\bar{q}})^{\gamma} = (H_p)^{\gamma} + 1$
or
(B) $(H_q)^{\gamma} = (H_p)^{\gamma} + 1 \wedge (H_{\bar{q}})^{\gamma} = (H_p)^{\gamma} - 1$

Let us study the following cases:

Case 2.1: (A) is true in $\gamma$ and (B) is true in $\gamma'$. The clock move of $\bar{q}$ is in
contradiction with the construction of macro $next$.

Case 2.2: (B) is true in $\gamma$ and (A) is true in $\gamma'$. The clock move of $\bar{q}$ is in
contradiction with the construction of macro $next$.

This proves that case 2 is absurd.

Since the two cases are absurd, we can conclude that $p$ is enabled for rule $(N)$ in a finite
time in every execution starting from a configuration $\gamma \in \Gamma_1$. Since the daemon is strongly
fair, we can say that $p$ executes rule $(N)$ in a finite time in every execution starting from
$\gamma_0$. Consequently $(P_d)$ is true.

□ 

The above property implies that $\forall \gamma_0 \in \Gamma_1, \forall p \in V$, $p$ executes the rule $(N)$ infinitely often
in every execution starting from $\gamma_0$.

Lemma 7 If $\gamma \in \Gamma_1$, then any processor increments its clock in a finite time in any execution
starting from $\gamma$.

Proof. Assume by contradiction that there exists a processor $p$ and an execution $e$ starting
from $\gamma_0 \in \Gamma_1$ such that $p$ never increments its clock in $e$.

Let $a = (H_p)^{\gamma_0}$. By Lemma 6, $p$ executes $(N)$ infinitely often. But it never increments,
which implies that $next((Inter(N_p))^{\gamma}, (H_p)^{\gamma}) = \min\{(Inter(N_p))^{\gamma}\}$ at each execution
of a rule by $p$ (in a configuration $\gamma$). Since $\forall \gamma \in \Gamma_1, \forall q \in N_p, |(H_p)^{\gamma} - (H_q)^{\gamma}| < 2$ and
$\forall q \in N_p, (Inter(N_p))^{\gamma} \subseteq \{(H_q)^{\gamma} - 1, (H_q)^{\gamma}, (H_q)^{\gamma} + 1\}$, we have: $\min\{(Inter(N_p))^{\gamma}\} \leq (H_p)^{\gamma}$.

Assume that there exists $\gamma \in \Gamma_1$ such that $\min\{(Inter(N_p))^{\gamma}\} = (H_p)^{\gamma}$. This implies that
there exists $q \in N_p$ such that $(H_q)^{\gamma} = (H_p)^{\gamma} + 1$.

If $\bar{q}$ does not exist or if $(H_{\bar{q}})^{\gamma} \in \{(H_p)^{\gamma}, (H_p)^{\gamma} + 1\}$, then $(H_p)^{\gamma} + 1 \in (Inter(N_p))^{\gamma}$. This
contradicts $next((Inter(N_p))^{\gamma}, (H_p)^{\gamma}) = \min\{(Inter(N_p))^{\gamma}\}$. We deduce that $\bar{q}$ exists and that
$(H_{\bar{q}})^{\gamma} = (H_p)^{\gamma} - 1$. This implies that $(N)$ is not enabled for $p$.

We can deduce that, if rule $(N)$ is executed by a processor $p$ in a configuration $\gamma$, then
$\min\{(Inter(N_p))^{\gamma}\} < (H_p)^{\gamma}$. We can now state that, in at most $a$ executions of $p$, $H_p = 0$.
The next execution of $p$ increments its clock value, which contradicts the assumption on $p$
and the construction of $e$. Then, we obtain the announced result. □

In the following we prove the convergence of our algorithm. 

Let $\gamma \in \Gamma$, we define the following notations:

$\forall e = \{p, q\} \in E, \omega(e, \gamma) = |(H_p)^{\gamma} - (H_q)^{\gamma}|$
$\forall p \in V, \varpi(p, \gamma) = \max_{e \in E / p \in e} \{\omega(e, \gamma)\}$
$\forall i \in \mathbb{N}, p(i, \gamma) = |\{e \in E / \omega(e, \gamma) = i\}|$

Consider the following potential function:

$P : \Gamma \to \mathbb{N}^{\infty}$
$\gamma \mapsto (\ldots, 0, 0, p(k, \gamma), p(k - 1, \gamma), \ldots, p(2, \gamma))$ with $k = \max\{\omega(e, \gamma)\}$

We compare two values of $P$ by lexicographic order. The following properties are verified:

$\forall \gamma \in \Gamma, P(\gamma) \geq (\ldots, 0, 0)$
$\forall \gamma \in \Gamma, \gamma \in \Gamma_1 \Leftrightarrow P(\gamma) = (\ldots, 0, 0)$
$\forall \gamma \in \Gamma, \gamma \in \Gamma \setminus \Gamma_1 \Rightarrow P(\gamma) > (\ldots, 0, 0)$

Lemma 8 If $\gamma \in \Gamma \setminus \Gamma_1$, then every step $\gamma \to \gamma'$ which contains the execution of a rule by a
processor $p$ such that $\varpi(p) \geq 2$ verifies $P(\gamma') < P(\gamma)$.

Proof. Let $\gamma \in \Gamma \setminus \Gamma_1$. Let $\gamma \to \gamma'$ be a step which contains the execution of a rule by a
processor $p$ such that $\varpi(p) \geq 2$ and $\gamma \in \Gamma \setminus \Gamma_1$. Since the daemon is locally central, neighbors
of $p$ do not modify their clocks during this step. Consider the following cases:

Case 1: $p$'s degree equals 1.

Let $q$ be its only neighbor and $j = \omega(\{p, q\}, \gamma) = |(H_p)^{\gamma} - (H_q)^{\gamma}|$. $(Inter(N_p))^{\gamma} =
\{(H_q)^{\gamma} - 1, (H_q)^{\gamma}, (H_q)^{\gamma} + 1\}$. It follows that $p$ executed rule $(N)$. So, we have
$|(H_p)^{\gamma'} - (H_q)^{\gamma'}| \leq 1$. Then: $\omega(\{p, q\}, \gamma') \leq 1$ and:

$P(\gamma) = (\ldots, 0, 0, p(k, \gamma), p(k - 1, \gamma), \ldots, p(j, \gamma), \ldots, p(2, \gamma))$
$P(\gamma') = (\ldots, 0, 0, p(k, \gamma), p(k - 1, \gamma), \ldots, p(j, \gamma) - 1, \ldots, p(2, \gamma))$

And then: $P(\gamma') < P(\gamma)$.

Case 2: p's degree equals 2. 

Let 5 be the neighbor of p such that u>{{p, q}, 7) = 7) > 2 and denote j = uo({p, q}, 7) < 
nj(p, 7), e = {p, 17} and e = {p 7 q). Consider the following cases: 

Case 2.1: $p$ executed the rule $(N)$ during the step $\gamma \to \gamma'$.

By construction of $(Inter(N_p))^{\gamma}$, we have $\omega(e, \gamma') \leq 1$ and $\omega(\bar{e}, \gamma') \leq 1$. Then:

$P(\gamma) = (\ldots, 0, 0, p(k, \gamma), p(k - 1, \gamma), \ldots, p(\varpi(p, \gamma), \gamma), \ldots, p(j, \gamma), \ldots, p(2, \gamma))$
$P(\gamma') = (\ldots, 0, p(k, \gamma), \ldots, p(\varpi(p, \gamma), \gamma) - 1, \ldots, p(j, \gamma) - 1, \ldots, p(2, \gamma))$

And then: $P(\gamma') < P(\gamma)$.

Case 2.2: $p$ executed the rule $(C_2)$ during the step $\gamma \to \gamma'$.

This case is similar to case 2.1.

Case 2.3: $p$ executed the rule $(C_1)$ during the step $\gamma \to \gamma'$.

Let us study the following cases:

Case 2.3.1: We have: {Hq) 1 < (Hq) 1 . 

By hypothesis, we know that w(e,7) > w(e, 7) and then: 

{ Hp y > : ^-> 7 

1) Assume that (Hp) 1 > (Hqf 
We can say that: 

.(e, 1 )>(H,f-(H q y + ^Wl 



w(e,7 / ) = 



Then: a;(e, 7') <o;(e, 7). 
On the other hand, 



w(e, 7) > 2 



u(e ll ') = (Hq) 1 - 



(H q y 
Then: cj(e,7') <uj(e, 7). 

In conclusion, we have: P(7') < P{l)- 

2) Assume that (ff p ) 7 < (ff,-) 7 + IMI+iMl. 

We have then: 

(i 



w(e,7') 



(g.r+(g,r 1 



Then: cj(e,7') <cj(e,7). 

In contrast, we have that: w(e, 7') > w(e, 7). But we can say that a>(e, 7') < 
w(e,7) (obvious if (i7 p ) 7 > (if,) 7 , due to the fact that (Hp) 1 > R-^r+O^) 7 ! in 
the contrary case). 

In conclusion, we have: P("i') < P{l)- 
Case 2.3.2: We have (if,) 7 > (Hq) 1 '. 

This case is similar to the case 2.3.1 when we permute q and q. 

That proves the result. □ 



Lemma 9 If $\gamma_0 \in \Gamma \setminus \Gamma_1$, then every execution starting from $\gamma_0$ contains the execution of a rule
by a processor $p$ such that $\varpi(p, \gamma_0) \geq 2$.

Proof. Let $\gamma_0 \in \Gamma \setminus \Gamma_1$. We reason by contradiction. Assume that there exists an execution
$e = \gamma_0 \gamma_1 \ldots$ starting from $\gamma_0$ which contains no execution of a rule by processors $p$ verifying
$\varpi(p, \gamma_0) \geq 2$.

First, assume that one of the ends $p$ of the chain verifies: $\varpi(p, \gamma_0) \geq 2$. Denote by $q$
the only neighbor of $p$. If $q$ is activated during $e$, we obtain a contradiction (since
$\varpi(q, \gamma_0) \geq \varpi(p, \gamma_0) \geq 2$). If $q$ is not activated during $e$, we obtain that
$\forall i \in \mathbb{N}, (Inter(N_p))^{\gamma_i} = \{(H_q)^{\gamma_0} - 1, (H_q)^{\gamma_0}, (H_q)^{\gamma_0} + 1\}$, so $p$ is always enabled for rule $(N)$.
Since the daemon is strongly fair, $p$
executes a rule in a finite time, which is contradictory. We can deduce that the two ends of the
chain verify: $\varpi(p, \gamma_0) < 2$.

Under a strongly fair daemon, the only way for a processor to never execute a rule is to
be never enabled from a given configuration. Here, we assume that all processors $p$ verifying
$\varpi(p, \gamma_0) \geq 2$ never execute a rule, which implies that the network verifies:

{(InteriNp))^ = 
and 

Number processors of the chain from $p_1$ to $p_n$. Let $i$ be the smallest integer such that
$\varpi(p_i, \gamma_k) \geq 2$ (remark that, by hypothesis, $p_{i+1}$ never executes a rule, which implies that its clock
value never changes). All these constraints allow us to say:

(A) $(H_{p_{i-1}})^{\gamma_k} = (H_{p_i})^{\gamma_k} + 1 \wedge (H_{p_{i+1}})^{\gamma_k} = (H_{p_i})^{\gamma_k} - 2$
or
(B) $(H_{p_{i-1}})^{\gamma_k} = (H_{p_i})^{\gamma_k} - 1 \wedge (H_{p_{i+1}})^{\gamma_k} = (H_{p_i})^{\gamma_k} + 2$

By a reasoning similar to that of the proof of Lemma 7, we can prove that all processors
between $p_0$ and $p_{i-1}$ execute the rule $(N)$ infinitely often in every execution starting from $\gamma_k$
even if $p_i$ never executes a rule (this is the case by hypothesis). By a reasoning similar to that
of the proof of Lemma 7, we can state that $H_{p_{i-1}}$ does not remain constant. The construction of
$Inter(N_{p_{i-1}})$ implies that $(Inter(N_{p_{i-1}}))^{\gamma_j} \subseteq \{(H_{p_i})^{\gamma_k} - 1, (H_{p_i})^{\gamma_k}, (H_{p_i})^{\gamma_k} + 1\}$ for each $j \geq k$
(since $H_{p_i}$ does not change by hypothesis).

If we are in the case (A), we can deduce that $H_{p_{i-1}}$ takes infinitely often the value $(H_{p_i})^{\gamma_k} - 1$
or $(H_{p_i})^{\gamma_k}$. We can see that $p_i$ is enabled by $(N)$ and $(C_1)$ respectively. This contradicts the
construction of $k$ (recall that $p_i$ is never enabled in $e$ from $\gamma_k$).

If we are in the case (B), we can deduce that $H_{p_{i-1}}$ takes infinitely often the value $(H_{p_i})^{\gamma_k} + 1$
or $(H_{p_i})^{\gamma_k}$. We can see that $p_i$ is enabled by $(N)$ and $(C_1)$ respectively. This contradicts the
construction of $k$ (recall that $p_i$ is never enabled in $e$ from $\gamma_k$).

This finishes the proof. □

Lemma 10 There exists $i \geq 0$ such that $\gamma_i \in \Gamma_1$.

Proof. The result follows directly from Lemmas 8 and 9. □

Finally, we can conclude:

Proposition 7 $\mathcal{UFTSS}$ is a self-stabilizing AU under a locally central strongly fair daemon.

Proof. Lemmas 5, 7, and 10 allow us to say that $\mathcal{UFTSS}$ is a self-stabilizing UAU under
a locally central strongly fair daemon. Then, we can deduce the result. □

4.3.2 Proof of self-stabilization in spite of a crash 

In this section, $e = \gamma_0, \gamma_1 \ldots$ denotes an execution of $\mathcal{UFTSS}$ such that a processor $c$ is crashed
in $\gamma_0$.

Firstly, we are going to prove the closure of our algorithm under these assumptions.

Lemma 11 If there exists $i \geq 0$ such that $\gamma_i \in \Gamma_1$, then $\gamma_{i+1} \in \Gamma_1$.

Proof. We can repeat the reasoning of Lemma 5 since the fact that a processor is crashed or
not does not modify the proof. □

Secondly, we are going to prove the liveness of our algorithm under these assumptions.

Lemma 12 If $\gamma_0 \in \Gamma_1$, then every processor $p \neq c$ increments its clock in a finite time in $e$.

Proof. We repeat the reasoning of Lemma 7 taking into account a processor $p \in V^*$.

In order to prove the property of Lemma 6, we take $d$ as the distance between $p$ and the end
$e$ of the chain which verifies: no processor between $p$ and $e$ is crashed. This implies that the
processor $q$ is not crashed. The case in which $\bar{q}$ is crashed appears in case 1 of the induction.

We can repeat the reasoning of the proof of Lemma 7 since the fact that a processor is
crashed or not does not modify the proof. □

Now, we are going to prove the convergence of our algorithm under these assumptions.

Lemma 13 There exists $i \geq 0$ such that $\gamma_i \in \Gamma_1$.

Proof. We repeat the reasoning of Lemma 10 taking into account a processor $p \in V^*$.

We can repeat the reasoning of the proof of the property of Lemma 8 since the fact that a
processor is crashed or not does not modify the proof.

In order to prove the property of Lemma 9, we take a numbering of processors which ensures
the following property: no processor between $p_0$ and $p_i$ (included) is crashed. It is always
possible to choose such a numbering since there exists at least one edge $e$ such that $\omega(e, \gamma_k) \geq 2$
by hypothesis, which implies that there exist at least two processors $p$ such that $\varpi(p, \gamma_k) \geq 2$,
which allows us to choose one which is not crashed. The case in which is crashed does not
modify the proof since we assumed that this processor never executes a rule. □

Finally, we can conclude: 

Proposition 8 UTTSS is a self-stabilizing AU under a locally central strongly fair daemon
even if a processor is crashed in the initial configuration.

Proof. Lemmas 11, 12, and 13 allow us to say that UTTSS is a self-stabilizing UAU under
a locally central strongly fair daemon even if a processor is crashed in the initial configuration.
Then, we can deduce the result. □

4.4 Proof on a ring 

In this section, we assume that our algorithm is executed on a ring under a strongly fair locally
central daemon. In fact, we are going to show that UTTSS is an FTSS UAU (which implies that
it is an FTSS AU) under these assumptions. The proof contains two major steps:

- Firstly, we show that our algorithm is self-stabilizing under these assumptions. 

- Secondly, we show that our algorithm is self-stabilizing even if the initial configuration 
contains a crashed processor under these assumptions. 

4.4.1 Proof of self-stabilization 

In this section, $e = \gamma_0, \gamma_1, \ldots$ denotes an execution of UTTSS in which there is no crash.
Firstly, we are going to prove the closure of our algorithm under these assumptions. 

Lemma 14 If there exists $i \geq 0$ such that $\gamma_i \in \Gamma_1$, then $\gamma_{i+1} \in \Gamma_1$.

Proof. We can repeat the reasoning of the proof of Lemma 5 since the topology of the 
network has no impact on the proof. □ 
Secondly, we are going to prove the liveness of our algorithm under these assumptions. 

Lemma 15 $\forall \gamma_0 \in \Gamma_1$, $\forall p \in V$, $p$ executes rule (N) in a finite time in every execution starting
from $\gamma_0$.

Proof. Let $\gamma_0 \in \Gamma_1$ (we have seen in the proof of Lemma 5 that this implies that only rule
(N) can be enabled). Assume that there exist a processor $p$ and an execution $e = \gamma_0, \gamma_1, \ldots$
starting from $\gamma_0$ such that $p$ never executes a rule in $e$. Since the daemon is strongly fair, this
implies that $\exists k \in \mathbb{N}$, $\forall j \geq k$, $p$ is not enabled in $\gamma_j$.

Since processor $p$ is not enabled, it satisfies: $\exists q, q' \in N_p$, $H_p^{\gamma_j} = H_q^{\gamma_j} + 1$ and
$H_p^{\gamma_j} = H_{q'}^{\gamma_j} - 1$. Let $i$ be the smallest integer greater than $k$ such that the step $\gamma_i \to \gamma_{i+1}$ contains
the execution of a rule by at least one neighbor of $p$. Let us study the following cases:

Case 1: $q$ and $q'$ simultaneously execute a rule during the step $\gamma_i \to \gamma_{i+1}$.

Since $p$ is not enabled in $\gamma_{i+1}$ (by hypothesis) and the execution of rule (N) always
modifies the clock values (cf. proof of Lemma 7), we have:




(H q y- + 1 and (H p ) 



(H g ) 



1 and (H p ) 



(# 9 -r +i + 1 



The clock move of $q$ contradicts the construction of rule (N) and $(Inter(N_p))^{\gamma_i}$. Therefore,
this case is impossible.

Case 2: Only $q$ executes a rule during the step $\gamma_i \to \gamma_{i+1}$.

By construction of rule (N), $(Inter(N_q))^{\gamma_i}$, and the fact that the execution of this rule
must change the clock value, we have: $H_q^{\gamma_{i+1}} \in \{H_p^{\gamma_i}, H_p^{\gamma_i} - 1\}$. Processor $p$ is
then enabled for rule (N) (since the clocks of $p$ and $q'$ have not changed by hypothesis).
This contradicts the construction of $k$. Therefore, this case is impossible.

Case 3: Only $q'$ executes a rule during the step $\gamma_i \to \gamma_{i+1}$.
This case is similar to case 2.

Case 4: Neither $q$ nor $q'$ executes a rule during the step $\gamma_i \to \gamma_{i+1}$.
By the three previous contradictions, it is the only possible case.

We can deduce that $\forall j \geq k$, $q$ and $q'$ do not execute a rule in $\gamma_j$, which implies that their
clock values remain constant from $\gamma_k$. If we repeat the previous reasoning, we obtain that this is
possible only if the second neighbor of $q$ has a clock value equal to $H_p^{\gamma_k} + 2$ and the second
neighbor of $q'$ has a clock value equal to $H_p^{\gamma_k} - 2$, etc.

Since the ring has a finite length $n$, we obtain (following the same reasoning) that there exist two
neighboring processors $p_1, p_2$ such that $H_{p_1}^{\gamma_k} = H_p^{\gamma_k} + \alpha$ and $H_{p_2}^{\gamma_k} = H_p^{\gamma_k} - \beta$ (with
$\alpha$ and $\beta$ integers greater than or equal to 1 depending on the parity of $n$). Therefore,
$|H_{p_1}^{\gamma_k} - H_{p_2}^{\gamma_k}| = \alpha + \beta \geq 2$. Then, we obtain that $\gamma_k \notin \Gamma_1$, which contradicts Lemma 14 and proves
the lemma. □
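
The counting step that closes the proof of Lemma 15 can be replayed mechanically. The following Python sketch is an added example, not part of the paper: it assumes unbounded integer clocks and a ring indexed 0..n-1 with p at index 0, and all function names are hypothetical.

```python
from itertools import product

def in_gamma1(clocks):
    """Gamma_1 on a ring: neighbouring clocks differ by at most 1."""
    n = len(clocks)
    return all(abs(clocks[i] - clocks[(i + 1) % n]) <= 1 for i in range(n))

def blocked(clocks, p):
    """Non-enabled condition used in the proof: one neighbour of p is exactly
    one tick behind p and the other exactly one tick ahead."""
    n = len(clocks)
    diffs = {clocks[(p - 1) % n] - clocks[p], clocks[(p + 1) % n] - clocks[p]}
    return diffs == {-1, 1}

def forced_ring(n, h=0):
    """Clocks forced when p (index 0, clock h) and every processor reached from
    it stay blocked: +1 per hop one way round, -1 per hop the other way.
    The meeting edge is placed after alpha hops (one possible choice, n >= 3).
    Returns (clocks, alpha, beta, drift on the meeting edge)."""
    beta = (n - 1) // 2            # hops walked on the decreasing side
    alpha = (n - 1) - beta         # hops walked on the increasing side
    clocks = ([h] + [h + k for k in range(1, alpha + 1)]
                  + [h - k for k in range(beta, 0, -1)])
    drift = abs(clocks[alpha] - clocks[alpha + 1])
    return clocks, alpha, beta, drift

def all_blocked_configs(n, span):
    """Exhaustive cross-check: configurations of Gamma_1 with clocks in
    0..span in which every processor is blocked (expected: none)."""
    return [c for c in product(range(span + 1), repeat=n)
            if in_gamma1(c) and all(blocked(c, p) for p in range(n))]

if __name__ == "__main__":
    for n in range(3, 8):
        clocks, alpha, beta, drift = forced_ring(n)
        print(n, clocks, alpha, beta, drift, in_gamma1(clocks))
```

For every ring size the two walks meet on an edge whose drift is alpha + beta, so the forced configuration lies outside Gamma_1, which is the contradiction with Lemma 14.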

Lemma 16 If $\gamma_0 \in \Gamma_1$, then every processor increments its clock in a finite time in $e$.

Proof. The proof is similar to that of Lemma 7, using Lemma 15 (instead of Lemma 6), since
the topology of the network has no impact on the proof. □

Now, we are going to prove the convergence of our algorithm under these assumptions. 

In the following, we consider the potential function P previously defined and use similar 
arguments as for the proof of Lemma 10. 

Lemma 17 If $\gamma \in \Gamma \setminus \Gamma_1$, then every step $\gamma \to \gamma'$ which contains the execution of a rule of a
processor $p$ such that $w(p) \geq 2$ verifies $P(\gamma') < P(\gamma)$.

Proof. The proof is similar to the proof of Lemma 8 since the topology of the network has 
no impact on the proof (note that the case 1 is impossible on a ring). □ 

Lemma 18 If $\gamma_0 \in \Gamma \setminus \Gamma_1$, then every execution starting from $\gamma_0$ contains the execution of a
rule of a processor $p$ such that $w(p, \gamma_0) \geq 2$.

Proof. Let $\gamma_0 \in \Gamma \setminus \Gamma_1$. Assume, by contradiction, that there exists an execution $e =
\gamma_0 \gamma_1 \ldots$ starting from $\gamma_0$ which contains no execution of a rule by any processor $p$ which verifies
$w(p, \gamma_0) \geq 2$. Since the daemon is strongly fair, this implies that $\exists k \in \mathbb{N}$, $\forall j \geq k$, $p$ is not
enabled in $\gamma_j$.

Let $q$ be the neighbor of $p$ verifying $w(\{p, q\}, \gamma_k) = w(p, \gamma_k)$. By hypothesis, $q$ never executes
a rule. Therefore, its clock value remains constant. Let us study the following cases:

Case 1: $|H_q^{\gamma_j} - H_{q'}^{\gamma_j}| \leq 1$

It follows that $p$ is enabled for the rule (N) since $|(Inter(N_p))^{\gamma_j}| \geq 2$. This contradicts
the construction of $k$.

Case 2: $|H_q^{\gamma_j} - H_{q'}^{\gamma_j}| = 2$

It follows that $p$ is enabled for the rule $(C_1)$ since $(Inter(N_p))^{\gamma_j} = \{h\}$ and $H_p^{\gamma_j} \neq h$
(because $w(p, \gamma_j) = w(p, \gamma_k) \geq 2$). This contradicts the construction of $k$.

Case 3: $|H_q^{\gamma_j} - H_{q'}^{\gamma_j}| \geq 3$

By the two previous contradictions, it is the only possible case. Since $p$ is not enabled (by
hypothesis), we obtain that:



{Inter(N p )) 13 
Vj > fc, { and 



2 



2 



Since the clock values of $p$ and $q$ are constant by hypothesis, we can deduce that the one of
$q'$ also remains constant (because, in the contrary case, $p$ becomes enabled, which contradicts
the hypothesis). It follows: $H_q^{\gamma_j} < H_p^{\gamma_j} < H_{q'}^{\gamma_j}$ or $H_q^{\gamma_j} > H_p^{\gamma_j} > H_{q'}^{\gamma_j}$.



Since this reasoning holds for every processor on the ring, we can always label the nodes of
any ring by $p_0, p_1, \ldots, p_n$ such that the following property is satisfied: $H_{p_0} < H_{p_1} < \ldots < H_{p_n}$.

But the previous reasoning for processor $p_0$ implies that we have: $H_{p_n} < H_{p_0} < H_{p_1}$. It
is impossible to satisfy these two inequalities simultaneously, which proves the result. □

Lemma 19 There exists $i \geq 0$ such that $\gamma_i \in \Gamma_1$.

Proof. The result follows directly from Lemmas 17 and 18. □ 
Finally, we can conclude: 

Proposition 9 UTTSS is a self-stabilizing AU under a locally central strongly fair daemon.

Proof. Lemmas 14, 16, and 19 lead to the conclusion that UTTSS is a self-stabilizing UAU 
under a locally central strongly fair daemon. 

□ 

4.4.2 Proof of self-stabilization in spite of a crash 

In this section, $e = \gamma_0, \gamma_1, \ldots$ denotes an execution of UJ-TSS such that a processor $c$ is crashed
in $\gamma_0$.

First, we prove the closure of our algorithm, then we prove the convergence property.

Lemma 20 If there exists $i \geq 0$ such that $\gamma_i \in \Gamma_1$, then $\gamma_{i+1} \in \Gamma_1$.

Proof. This proof is similar to the proof of Lemma 14 since the fact that a processor is 
crashed or not does not modify the proof. □ 
Secondly, we are going to prove the liveness of our algorithm under these assumptions. 

Lemma 21 If $\gamma_0 \in \Gamma_1$, then every processor $p \neq c$ increments its clock in a finite time in $e$.

Proof. This proof is similar to the proof of Lemma 16. Note that the crash of a processor is 
possible only for the case 4. □ 
In the following we prove the convergence of our algorithm. 

Lemma 22 There exists $i \geq 0$ such that $\gamma_i \in \Gamma_1$.

Proof. This proof is similar to the proof of Lemma 19 since the fact that a processor is 
crashed or not does not modify the proof. □ 
Finally, we can conclude: 

Proposition 10 UTTSS is a self-stabilizing AU under a locally central strongly fair daemon 
even if a processor is crashed in the initial configuration. 

Proof. Lemmas 20, 21, and 22 allow us to say that UTTSS is a self-stabilizing UAU under
a locally central strongly fair daemon even if a processor is crashed in the initial configuration.
Then, we can deduce the result. □

4.5 Conclusion 

We are now in position to state our final result: 

Proposition 11 UTTSS is a (0,1)-ftss AU on a chain or a ring under a locally central
strongly fair daemon.

Proof. This is a direct consequence of Propositions 7, 8, 9, and 10. □



5 Conclusion 

We presented the first study of FTSS protocols for dynamic tasks in asynchronous systems, and 
showed the intrinsic problems that are induced by the wide range of faults that we address. The 
combination of asynchrony and maintenance of liveness properties implies many impossibility 
results, and the deterministic protocol that we provided for one of the few remaining cases is 
optimal with respect to all impossibility results and containment measures. 

There remains the open case of protocols that satisfy neither the minimality nor the priority
properties (see Table 1). We conjecture that at least one of those properties is necessary for the
purpose of deterministic self-stabilization, yet none of those could be required for deterministic
weak stabilization [16] (weak stabilization is a weaker property than self-stabilization since
only the existence of an execution reaching a legitimate configuration is guaranteed). As recent results [7]
hint that weak-stabilizing solutions could induce probabilistic self-stabilizing ones, this raises
the open question of the possibility of probabilistic FTSS for dynamic tasks in asynchronous
systems.